Hashicorp Vault: Python hvac does not see secrets

Question

I'm trying to use HashiCorp Vault with hvac Python client.

I've run the vault docker container (development mode config) on localhost, created a KV secret engine kv1 (with version 1 API), added a secret mega_secret, added a key/value ("hell" --> "yeah") to it and tried to read it with hvac.

First, let's go to the docker container terminal and check that the secret is alive:

# vault kv get kv1/mega_secret
==== Data ====
Key     Value
---     -----
hell    yeah

And now I'm trying to read it with hvac.

import hvac

client = hvac.Client(url="http://localhost:8200", token="hvs.4MzADdB9pIHAggqaQWQZASx0", namespace="")
assert client.is_authenticated()
assert not client.sys.is_sealed()

print(client.kv.v1.read_secret(path="kv1/mega_secret"))  # crashes here

Error message:

hvac.exceptions.InvalidPath: no handler for route "secret/kv1/mega_secret". 
route entry not found., on get http://localhost:8200/v1/secret/kv1/mega_secret

How can it be fixed?

Answer 1

Score: 2

Vault can mount the same secret engine multiple times, each on its own mount point. You have chosen to use kv1, no problem with that.

HVAC assumes that secret is the name of the mount point by default.

You will be able to read your secret by specifying the mount point like this:

client.kv.v1.read_secret(mount_point="kv1", path="mega_secret")
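The answer above is the whole fix, but it is worth seeing why the original call went to `secret/kv1/mega_secret`: the Vault CLI (`vault kv get kv1/mega_secret`) looks up the mount table to split a full path into mount point and relative path, and to decide whether the engine is KV v1 or v2; hvac does no such lookup, it just prefixes the path with `mount_point`, which defaults to `secret`. The example below reproduces that CLI-style resolution over a constructed mount table in the shape of `GET /v1/sys/mounts` (the `kv1/`, `team/app/` and `cubbyhole/` entries are assumptions for illustration) and shows the URL hvac would request in each case. This is added example code, not part of the original post and not hvac's own implementation.

```python
"""Resolve a Vault CLI-style KV path ("kv1/mega_secret") into the pieces an
hvac call needs: mount point, path relative to the mount, and KV version.

Added example; not code from the original post or from hvac.
SAMPLE_MOUNTS is a constructed table in the shape of GET /v1/sys/mounts.
Vault returns mount keys with a trailing slash and version as a string in
`options`; a KV mount enabled without `-version=` has no version option
and is treated as v1, which the resolver below mirrors.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SAMPLE_MOUNTS: Dict[str, dict] = {
    "secret/":    {"type": "kv", "options": {"version": "2"}},  # dev-mode default mount
    "kv1/":       {"type": "kv", "options": {"version": "1"}},  # the v1 engine from the question
    "team/app/":  {"type": "kv", "options": {"version": "2"}},  # assumed nested mount point
    "cubbyhole/": {"type": "cubbyhole", "options": None},       # not a kv engine
    "sys/":       {"type": "system", "options": None},
}


@dataclass(frozen=True)
class KvRef:
    mount_point: str   # without trailing slash, as hvac's mount_point expects
    path: str          # secret path relative to the mount
    version: int       # 1 or 2


def resolve_kv_path(full_path: str, mounts: Dict[str, dict]) -> Optional[KvRef]:
    """Split a CLI-style path on the longest matching kv mount, like `vault kv` does.

    Returns None when no kv mount covers the path (hvac would then hit a route
    with no handler, which is exactly the error in the question).
    """
    full_path = full_path.strip("/")
    best: Optional[str] = None
    for mount, info in mounts.items():
        if info.get("type") != "kv":
            continue
        # Longest match wins so "team/app/x" binds to "team/app/", not a shorter prefix.
        if full_path == mount.rstrip("/") or full_path.startswith(mount):
            if best is None or len(mount) > len(best):
                best = mount
    if best is None:
        return None
    relative = full_path[len(best):]
    options = mounts[best].get("options") or {}
    version = int(options.get("version", "1"))
    return KvRef(mount_point=best.rstrip("/"), path=relative, version=version)


def request_url(base_url: str, ref: KvRef) -> str:
    """URL hvac requests for a read: v1 -> /v1/<mount>/<path>, v2 -> /v1/<mount>/data/<path>."""
    if ref.version == 1:
        return f"{base_url}/v1/{ref.mount_point}/{ref.path}"
    return f"{base_url}/v1/{ref.mount_point}/data/{ref.path}"


def hvac_default_url(base_url: str, path: str, version: int = 1) -> str:
    """URL hvac requests when mount_point is left at its default of "secret"."""
    return request_url(base_url, KvRef("secret", path.strip("/"), version))


if __name__ == "__main__":
    base = "http://localhost:8200"
    # The question's call: path contains the mount name, mount_point defaults to "secret".
    print("default mount_point:", hvac_default_url(base, "kv1/mega_secret"))
    # CLI-style resolution picks the kv1 mount and the relative path.
    ref = resolve_kv_path("kv1/mega_secret", SAMPLE_MOUNTS)
    print("resolved:", ref)
    print("hvac will request:", request_url(base, ref))
```

With the resolved `KvRef`, the matching hvac call is `client.kv.v1.read_secret(mount_point=ref.mount_point, path=ref.path)` for version 1 and `client.kv.v2.read_secret_version(mount_point=ref.mount_point, path=ref.path)` for version 2; the live mount table in the same shape comes from `client.sys.list_mounted_secrets_engines()` (the mounts are under the `data` key). Two practitioner caveats: the token in the question is a dev-mode token embedded in source, and `hvac.Client()` will pick up `VAULT_ADDR` and `VAULT_TOKEN` from the environment if you omit the arguments, which keeps credentials out of the script; and the route error itself is a good signal during triage, because "no handler for route" always means the mount prefix is wrong, not that the token lacks permission (that would be a 403).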

Posted by huangapple on 2023-02-10 04:00:11. Please keep this link when reposting: https://go.coder-hub.com/75403840.html